US20220269747A1 - Qr code access restriction without geolocation knowledge - Google Patents

Qr code access restriction without geolocation knowledge Download PDF

Info

Publication number
US20220269747A1
US20220269747A1 US17/179,728 US202117179728A US2022269747A1 US 20220269747 A1 US20220269747 A1 US 20220269747A1 US 202117179728 A US202117179728 A US 202117179728A US 2022269747 A1 US2022269747 A1 US 2022269747A1
Authority
US
United States
Prior art keywords
unique session
session identifier
address
page
website
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US17/179,728
Inventor
Tam Nguyen
Gerardo FANG
Venkata Sudharsan DASA
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Capital One Services LLC
Original Assignee
Capital One Services LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Capital One Services LLC filed Critical Capital One Services LLC
Priority to US17/179,728 priority Critical patent/US20220269747A1/en
Publication of US20220269747A1 publication Critical patent/US20220269747A1/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/955Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9554Retrieval from the web using information identifiers, e.g. uniform resource locators [URL] by using bar codes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/146Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/42
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/77Graphical identity

Definitions

  • Websites can be used to gather information from users for a variety of reasons, such as surveys or pre-approval for services. These websites can be accessed through a variety of means, including readable links such as Quick Response (QR) codes. Users often use mobile devices to read the QR codes, which then allow the users to access the website and enter or receive information. Such readable links may typically be saved by a user for later access. Or, a user may access a website using a readable link, and bookmark the site to visit later. Without having some control over when or where a user enters data into the website, the website owner may lose valuable information about that user or miss out on opportunities to interact with that user.
  • QR Quick Response
  • Disclosed herein are system, method and computer program product embodiments, and/or combinations and sub-combinations thereof for restricting access to a website.
  • a method for controlling access to a website includes receiving a request from a mobile device to access a backend redirect page using an address.
  • the backend redirect page then generates a unique session identifier and an address to the website based on the unique session identifier and redirects a browser on the mobile device to the website using the address.
  • An intake backend for frontend (referred to herein as IBFF or intake BFF) verifies whether the unique session identifier for the address is valid and either grants or denies the mobile device access to the website based on the validity of the unique session identifier.
  • a system for controlling access to the website has processors and memory connected and stores instructions that provide a website with pages having configurable addresses.
  • the system also provides a backend redirect page configured to, in response to receiving a request to access the backend redirect page from a mobile device using an address, generate a unique session identifier, configure the configurable addresses based on the unique session identifier, redirect the browser on the mobile device to a page from in the website using the configured address for that page, and determine whether unique session identifiers corresponding to the configured addresses are valid.
  • the system further provides an intake backend for frontend configured to, in response to receiving a request from the mobile device to access a page of the website, query the backend redirect page to determine whether the unique session identifier corresponding to the configured address of the page is valid and, based on the query, either grant or deny the mobile device access to the website based on the validity of the unique session identifier.
  • FIG. 1 illustrates a block diagram of an example environment in which systems and methods described herein may be implemented, according to some embodiments.
  • FIG. 2 is a flowchart illustrating a method for performing access restriction to a website, according to some embodiments.
  • FIG. 3 depicts an example computer system useful for implementing various embodiments.
  • a website owner may be interested in restricting access to users based on user location. This may have to do with the nature of the service provided through the website or be based on the desire or necessity of having someone on hand to assist the user in interacting with the website. Even if the website owner only provides the user with website details when the user is at a specific location, the user may be able to use a bookmark to access the website later. This may allow the user to re-visit the website when they potentially cannot properly make use of the services, such as after leaving a location associated with the service.
  • some websites have intake forms that collect user information to provide a service, such as determining whether a user qualifies for a car loan at a car dealership. Because specific details of the sale are needed to finalize the loan and calculate, for example, a monthly payment or eligible APR, the dealership and/or the bank servicing the loan may want to restrict access to the website to only when the user is at the car dealership. This allows the user to receive help from salespeople and actually evaluate and process the loan, if the user desires. It can also help avoid problems where users fill out the forms on their own and show up at the car dealership expecting a loan, only to find out that there is some issue with how they filled out the forms, or some difference in how they calculated the value or price of a car to be purchased.
  • One way to control access is to have the user provide location information from the user's mobile device. This can effectively restrict access based on where the user is located. Even if the user uses a bookmark to access the website later, their location information will prevent them from accessing the website. However, users often decline to or are unable to provide location-based information from their mobile devices due to privacy concerns. This can result in problems accessing the website even when the user is at the proper location, such as at the business.
  • a website owner may use backend network services to restrict access to the website.
  • the website owner may provide a machine-readable link, such as a QR code, to a user.
  • This QR code accesses a redirect page that does not visibly load in the user's web browser.
  • the redirect page which may be hosted on the backend of the network, may initiate a new session for the user and generate a unique session ID for the session, then redirect the user to the website.
  • the address for the website can be dynamic and include information that links the address to the unique session ID.
  • Backend services can monitor visits to the website based on the unique session ID determined from the dynamic address.
  • the backend services can determine whether the unique session ID is valid based on various parameters, such as how long it has been since the associated session was started. Once the unique session ID has become invalid (e.g., expires), the backend services block the user from accessing the website.
  • the user can scan the QR code and navigate directly to the website without even noticing that the redirect is taking place.
  • the user can interact with the website based on parameters controlled by the website owner. However, all of the control is transparent to the user, as it is handled on the backend of the network. The user is not required to disclose any personal data, such as the location information from their mobile device. While the user can bookmark the website address, once the unique session ID associated with the dynamic address is invalidated, the user will have to return to the original QR code to start a new session. A website owner will thus be able to control access to the website based on where the user has access to the QR code and prevent or limit unintended or undesired access to the websites by users.
  • FIG. 1 illustrates a block diagram of an example environment 100 in which systems and methods described herein may be implemented, according to some embodiments.
  • the example environment 100 includes a website 110 , a mobile device 120 , a machine-readable indicia 130 , a backend platform 140 , and a network 150 .
  • the website 110 may be accessible to the mobile device 120 and the backend platform 140 through the network 150 .
  • the website may be connected to the backend platform 140 through a direct connection, as indicated by the dotted line between the two.
  • the website 110 and the backend platform may be hosted together in a server or hosted in different servers that are connected through the network 150 or a cloud.
  • the network 150 may be a single network or several networks connected through the internet.
  • the website 110 may be deployed to provide a service to users.
  • the website 110 may have an intake page 112 and website pages 114 .
  • the intake page 112 may be a home page, main page, or landing page where a user may begin to navigate the website 110 .
  • the website pages 114 may be other pages in the website 110 or sub-pages of the intake page 112 .
  • the website 110 may use configurable or dynamic addresses for the intake page 112 and the website pages 114 .
  • the configurable addresses allow a page 112 to be accessed with different addresses, where each address is associated with a specific user or user session.
  • a car dealership may wish to provide a service for connecting a customer with a bank such that the customer can be pre-approved for an auto loan.
  • This can be accomplished through a website 110 with an intake page 112 for an application where the customer can fill out their information.
  • the customer accesses each of the website pages 114 to finish providing the necessary information.
  • the configurable address may each be modified to identify the specific customer or instance for which the application is being completed. Once the forms are finished, the customer may submit their application from the website for review.
  • Access to the website 110 may be provided through a link, which the user may access through their mobile device 120 .
  • the mobile device 120 may be a smart phone, tablet, or other portable electronic device capable of accessing the internet.
  • the link may be provided in the form of a machine-readable indicia 130 , such as a QR code.
  • Receiving the link may cause the mobile device 120 to access a redirect or proxy page that is managed by the backend redirect page 142 in the backend platform 140 .
  • the backend redirect page 142 may be a QR service that does not render a webpage, but instead redirects the user's browser to the intake page 112 . Because the redirect page is not rendered or loaded in the browser, the user does not have an opportunity to bookmark the link or address of the redirect page.
  • the link may be associated with a specific location.
  • a business may have different machine-readable indicia 130 for different business locations. This may allow the website owner to track which business location provided the user access to the system. It also may allow the link to access a specific backend redirect page 142 on a backend platform 140 that services the specific business location.
  • the link may be associated with a specific person.
  • an employee in a business may have a machine-readable indicia 130 which accesses the backend redirect page 142 , but which is unique or includes an identifier of the individual employee. This may allow the website owner to track which employee provided the user access to the system.
  • the backend redirect page 142 may generate a unique session identifier (ID) for the user.
  • ID unique session identifier
  • the configurable addresses for the website 110 are configured based on the unique session ID, such as including the unique session ID in the web address for the intake page 112 and the website pages 114 .
  • the unique session ID may be added to a session list of sessions. This session list may contain unique session IDs of sessions that have been activated.
  • the backend platform 140 may have a session monitor 146 that keeps track of a time since the unique session ID was generated.
  • the predetermined session length may be, for example, thirty minutes, one hour, or an estimated length of time for a user to complete the forms of the website 110 .
  • the session monitor 146 may remove the unique session ID from the session list.
  • the session monitor 146 is part of the backend redirect page 142 .
  • the session list may be stored in the backend redirect page 142 or the session monitor 146 .
  • the backend redirect page 142 and the session monitor 146 may be in communication with each other to modify and maintain the session list.
  • the backend platform 140 may have an intake backend for frontend (referred to herein as IBFF or intake BFF) 144 for controlling access to the website 110 .
  • the intake BFF 144 may receive requests for access to the intake page 112 or the website pages 114 , such as from a mobile device 120 , and extract the unique session ID from the web address that is used to request access.
  • the intake BFF 144 may contact the backend redirect page 142 or the session monitor 146 to verify whether the unique session ID is valid.
  • the backend redirect page 142 or the session monitor 146 may check whether the unique session ID is valid and then report that information back to the intake BFF 144 .
  • the intake BFF 144 grants the mobile device 120 access to the intake page 112 or one of the website pages 114 , depending on which page the mobile device 120 requested access to. If the unique session ID is not valid, the intake BFF 144 denies the mobile device 120 access.
  • a QR code or similar readable link takes a user directly to the webpage of interest, or requires location data from a user for any kind of location restrictions to be operable.
  • Embodiments described herein allow the website owner to limit access to the website based on a user's location without actually requiring any location data to be sent to the website from the user or user's device.
  • the user in order to access the website 110 , the user must have a valid unique session ID, which can only be obtained by scanning the machine-readable indicia 130 and accessing the backend redirect page 142 .
  • This unique session ID may only be valid for a limited time. For example, a timer may be started or a first timestamp may be generated when the user first accesses backend redirect page 142 .
  • the unique session ID may be invalidated when the timer is active longer than a predetermined amount of time or after a predetermined amount of time has passed since the first timestamp.
  • the timer is reset or a second timestamp is generated and replaces the first timestamp. This may prevent the user's session from ending prematurely while still using the website 110 .
  • the user may not be able to bookmark the backend redirect page 142 because it is not loaded in the browser.
  • the user may only bookmark pages in the website 110 , such as intake page 112 or website page 114 . No new unique session ID will be generated by accessing such pages, even if the user intends to start a new session, as new unique session IDs are only generated by accessing the backend redirect page 142 .
  • the user tries to access the website 110 directly using one of the dynamic addresses that was generated for their last session (e.g., through the bookmark of intake page 112 ), they will be using the unique session ID of that specific dynamic address. They will only be able to access the website 110 if the previous unique session ID is still valid.
  • the website owner can limit to specific locations access to the machine-readable indicia 130 . Essentially, the user will be limited based on when and where the machine-readable indicia 130 is available to start a new session.
  • employees at a business location may be the only ones who can provide the machine-readable indicia 130 .
  • customers would only be able to access the website 110 at the business location and for a short time thereafter.
  • the business can thus restrict access to the website without having to violate the privacy of the customer or request the customer to disclose the location information of their mobile device.
  • FIG. 2 is a flowchart illustrating a method 200 for performing access restriction to a website, according to some embodiments.
  • Method 200 can be performed by processing logic that can comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions executing on a processing device), or a combination thereof. It is to be appreciated that not all steps may be needed to perform the disclosure provided herein. Further, some of the steps can be performed simultaneously or in a different order than shown in FIG. 2 , as will be understood by a person of ordinary skill in the art.
  • Method 200 shall be described with reference to FIG. 1 . However, method 200 is not limited to that example embodiment.
  • the backend redirect page 142 receives a request from the mobile device 120 to access the backend redirect page 142 through a link.
  • the link may be the machine-readable indicia 130 or may be encoded into the machine-readable indicia 130 , and the link may be activated using an electronic reader on the mobile device 120 .
  • the link is a QR code
  • the electronic reader may be a QR code reader. Activating the link may access the backend redirect page 142 using an address encoded into the machine-readable indicia 130 .
  • the backend redirect page 142 generates a unique session ID and the session monitor 146 starts a session timer.
  • the backend redirect page 142 may store the unique session ID in a list of active sessions.
  • the list of active sessions may be specific to the intake page 112 associated with the link.
  • the list of active sessions may include an activity identifier for which the unique session ID has been assigned, the session timer for the unique session identifier, and a personnel or employee identifier. These may each be associated with the unique session ID to which they correspond.
  • the activity identifier may identify the specific website 110 or the type of activity that a user is performing on website 110 .
  • the personnel identifier may be based on or encoded into the machine-readable indicia 130 activated by the mobile device 120 .
  • a user initiating a session may be assigned a unique session ID for that session with a corresponding session timer indicating when the session started, an activity identifier indicating that the user is filling out a form to be pre-approved for an auto loan, and an employee identifier indicating a salesman who is helping the user.
  • This information may be stored in the list of active sessions as an entry for the session.
  • the backend redirect page 142 may configure configurable or dynamic addresses for pages in the website 110 , such as intake page 112 and website pages 114 , using the unique session ID.
  • the dynamic addresses may be based on or include the unique session ID in the address.
  • the unique session ID may be appended to the end of part of a website address, or embedded within part of the website address.
  • the backend redirect page 142 redirects the mobile device 120 to the website 110 using the dynamic address based on unique session ID.
  • the backend redirect page 142 may redirect the mobile device 120 from the backend redirect page 142 to a page in the website 110 , such as intake page 112 or one of the website pages 114 using the dynamic address for the intake page 112 that was configured in step 220 . It is to be understood that the first time a user accesses the website 110 in a given session, the user is directed to the intake page 112 , but that future access to the website 110 will navigate to pages based on the links selected, such as links on the intake page 112 or website pages 114 that connect to other pages in the website pages 114 .
  • the mobile device 120 may attempt to load the page of the website 110 in a browser on the mobile device 120 using the dynamic address.
  • the website 110 may generate a request to verify the unique session ID associated with the dynamic address for the page.
  • the backend redirect page 142 and the intake BFF 144 verify the unique session ID.
  • the intake BFF 144 may receive a request to access the website 110 from the mobile device 120 's attempt to access the website 110 in step 230 . This request may come, for example, from the website 110 .
  • the intake BFF 144 may determine the unique session ID from the dynamic address used in the access request. For example, if the dynamic address includes the unique session ID as part of the dynamic address, the intake BFF will extract the unique session ID from that portion of the dynamic address.
  • the intake BFF 144 may send the determined unique session ID to the backend redirect page 142 for verification.
  • the backend redirect page 142 may compare the unique session ID to a list of the active sessions that are valid.
  • the backend redirect page 142 determines whether the unique session ID is valid. If the unique session ID is present in the list of active sessions, then the unique session ID is considered to be valid. If the unique session ID is not present in the list of active sessions, then the unique session ID is considered to be invalid. The backend redirect page 142 then provides the validation result to the intake BFF 144 , which then takes the appropriate action.
  • the functions of the backend redirect page 142 in steps 240 and 245 may be performed by both the backend redirect page 142 and the session monitor 146 or by the session monitor 146 alone.
  • the method 200 proceeds to step 250 .
  • the intake BFF 144 grants the mobile device 120 access to the website 110 .
  • the method 200 may then return to step 230 .
  • the method 200 proceeds to step 255 .
  • the intake BFF 144 denies the mobile device 120 access to the website 110 .
  • the method 200 may then terminate for the given access attempt.
  • step 230 also proceeds to step 260 .
  • the backend platform 140 determines whether the session timer is greater than a predetermined session length. This may be performed by the session monitor 146 , the backend redirect page 142 , or both. In some embodiments, the session timer is maintained within the list of active sessions.
  • method 200 proceeds to step 265 .
  • the session monitor 146 or the backend redirect page 142 invalidate the unique session ID. This may be accomplished by removing the unique session ID from the list of active sessions.
  • step 270 the session monitor 146 or the backend redirect page 142 maintains the unique session ID in the list of active sessions. Maintaining the list of active sessions may not require a specific action to be taken, as the list of active sessions may be stored or maintained in memory that is part of or allocated to the backend redirect page 142 or the session monitor 146 .
  • Step 270 may return to step 260 to further monitor the session timer. It should be understood that steps 260 , 265 , and 270 may be performed continually or periodically as time passes to ensure that unique session IDs are maintained or invalidated. Thus, these steps may be performed for any unique session ID generated by step 220 during and between other steps of method 200 .
  • a unique session ID becomes invalid while the user is using the website 110 but before completion, the user is denied access to the website page 114 when the user attempts to access the next website page 114 .
  • the user In order to access the website 110 again, the user must rescan the machine readable indicia 130 to generate a new unique session ID.
  • FIG. 3 depicts an example computer system useful for implementing various embodiments.
  • FIG. 3 Various embodiments may be implemented, for example, using one or more well-known computer systems, such as computer system 300 shown in FIG. 3 .
  • One or more computer systems 300 may be used, for example, to implement any of the embodiments discussed herein, as well as combinations and sub-combinations thereof.
  • Computer system 300 may include one or more processors (also called central processing units, or CPUs), such as a processor 304 .
  • processors also called central processing units, or CPUs
  • Processor 304 may be connected to a communication infrastructure or bus 306 .
  • Computer system 300 may also include user input/output device(s) 303 , such as monitors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 306 through user input/output interface(s) 302 .
  • user input/output device(s) 303 such as monitors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 306 through user input/output interface(s) 302 .
  • processors 304 may be a graphics processing unit (GPU).
  • a GPU may be a processor that is a specialized electronic circuit designed to process mathematically intensive applications.
  • the GPU may have a parallel structure that is efficient for parallel processing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc.
  • Computer system 300 may also include a main or primary memory 308 , such as random access memory (RAM).
  • Main memory 308 may include one or more levels of cache.
  • Main memory 308 may have stored therein control logic (i.e., computer software) and/or data.
  • Computer system 300 may also include one or more secondary storage devices or memory 310 .
  • Secondary memory 310 may include, for example, a hard disk drive 312 and/or a removable storage device or drive 314 .
  • Removable storage drive 314 may be a floppy disk drive, a magnetic tape drive, a compact disk drive, an optical storage device, tape backup device, and/or any other storage device/drive.
  • Removable storage drive 314 may interact with a removable storage unit 318 .
  • Removable storage unit 318 may include a computer usable or readable storage device having stored thereon computer software (control logic) and/or data.
  • Removable storage unit 318 may be a floppy disk, magnetic tape, compact disk, DVD, optical storage disk, and/any other computer data storage device.
  • Removable storage drive 314 may read from and/or write to removable storage unit 318 .
  • Secondary memory 310 may include other means, devices, components, instrumentalities or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 300 .
  • Such means, devices, components, instrumentalities or other approaches may include, for example, a removable storage unit 322 and an interface 320 .
  • Examples of the removable storage unit 322 and the interface 320 may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface.
  • Computer system 300 may further include a communication or network interface 324 .
  • Communication interface 324 may enable computer system 300 to communicate and interact with any combination of external devices, external networks, external entities, etc. (individually and collectively referenced by reference number 328 ).
  • communication interface 324 may allow computer system 300 to communicate with external or remote devices 328 over communications path 326 , which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc.
  • Control logic and/or data may be transmitted to and from computer system 300 via communication path 326 .
  • Computer system 300 may also be any of a personal digital assistant (PDA), desktop workstation, laptop or notebook computer, netbook, tablet, smart phone, smart watch or other wearable, appliance, part of the Internet-of-Things, and/or embedded system, to name a few non-limiting examples, or any combination thereof.
  • PDA personal digital assistant
  • Computer system 300 may be a client or server, accessing or hosting any applications and/or data through any delivery paradigm, including but not limited to remote or distributed cloud computing solutions; local or on-premises software (“on-premise” cloud-based solutions); “as a service” models (e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a service (SaaS), managed software as a service (MSaaS), platform as a service (PaaS), desktop as a service (DaaS), framework as a service (FaaS), backend as a service (BaaS), mobile backend as a service (MBaaS), infrastructure as a service (IaaS), etc.); and/or a hybrid model including any combination of the foregoing examples or other services or delivery paradigms.
  • “as a service” models e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a
  • Any applicable data structures, file formats, and schemas in computer system 300 may be derived from standards including but not limited to JavaScript Object Notation (JSON), Extensible Markup Language (XML), Yet Another Markup Language (YAML), Extensible Hypertext Markup Language (XHTML), Wireless Markup Language (WML), MessagePack, XML User Interface Language (XUL), or any other functionally similar representations alone or in combination.
  • JSON JavaScript Object Notation
  • XML Extensible Markup Language
  • YAML Yet Another Markup Language
  • XHTML Extensible Hypertext Markup Language
  • WML Wireless Markup Language
  • MessagePack XML User Interface Language
  • XUL XML User Interface Language
  • a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having control logic (software) stored thereon may also be referred to herein as a computer program product or program storage device.
  • control logic software stored thereon
  • control logic when executed by one or more data processing devices (such as computer system 300 ), may cause such data processing devices to operate as described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

Provided herein are system, method and/or computer program product embodiments, and/or combinations and sub-combinations thereof for controlling access to a website. In some embodiments, a user scans a machine-readable indicia with their mobile device to access a backend redirect page. The backend redirect page receives the access request, generates a unique session identifier, and configures a dynamic address based on the unique session identifier. The backend redirect page redirects the mobile device to an intake page of a website using the dynamic address for that page. Whenever the user attempts to load a page in the website using the corresponding dynamic address, an intake backend for frontend verifies the validity of the unique session identifier associated with the dynamic address. A session monitor tracks the amount of time since the unique session identifier was generated and invalidates the unique session identifier after a predetermined amount of time has passed.

Description

    BACKGROUND
  • Websites can be used to gather information from users for a variety of reasons, such as surveys or pre-approval for services. These websites can be accessed through a variety of means, including readable links such as Quick Response (QR) codes. Users often use mobile devices to read the QR codes, which then allow the users to access the website and enter or receive information. Such readable links may typically be saved by a user for later access. Or, a user may access a website using a readable link, and bookmark the site to visit later. Without having some control over when or where a user enters data into the website, the website owner may lose valuable information about that user or miss out on opportunities to interact with that user.
    • BRIEF SUMMARY
  • Disclosed herein are system, method and computer program product embodiments, and/or combinations and sub-combinations thereof for restricting access to a website.
  • In an embodiment, a method for controlling access to a website includes receiving a request from a mobile device to access a backend redirect page using an address. The backend redirect page then generates a unique session identifier and an address to the website based on the unique session identifier and redirects a browser on the mobile device to the website using the address. An intake backend for frontend (referred to herein as IBFF or intake BFF) verifies whether the unique session identifier for the address is valid and either grants or denies the mobile device access to the website based on the validity of the unique session identifier.
  • In an embodiment, a system for controlling access to the website has processors and memory connected and stores instructions that provide a website with pages having configurable addresses. The system also provides a backend redirect page configured to, in response to receiving a request to access the backend redirect page from a mobile device using an address, generate a unique session identifier, configure the configurable addresses based on the unique session identifier, redirect the browser on the mobile device to a page from in the website using the configured address for that page, and determine whether unique session identifiers corresponding to the configured addresses are valid. The system further provides an intake backend for frontend configured to, in response to receiving a request from the mobile device to access a page of the website, query the backend redirect page to determine whether the unique session identifier corresponding to the configured address of the page is valid and, based on the query, either grant or deny the mobile device access to the website based on the validity of the unique session identifier.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The accompanying drawings, which are incorporated herein and form a part of the specification, illustrate embodiments of the present disclosure and, together with the description, further serve to explain the principles of the disclosure and to enable a person skilled in the art(s) to make and use the embodiments.
  • FIG. 1 illustrates a block diagram of an example environment in which systems and methods described herein may be implemented, according to some embodiments.
  • FIG. 2 is a flowchart illustrating a method for performing access restriction to a website, according to some embodiments.
  • FIG. 3 depicts an example computer system useful for implementing various embodiments.
    •
  • In the drawings, like reference numbers generally indicate identical or similar elements. Additionally, generally, the left-most digit(s) of a reference number identifies the drawing in which the reference number first appears.
    • DETAILED DESCRIPTION
  • Provided herein are system, method and/or computer program product embodiments, and/or combinations and sub-combinations thereof, for restricting access to a website.
  • A website owner may be interested in restricting access to users based on user location. This may have to do with the nature of the service provided through the website or be based on the desire or necessity of having someone on hand to assist the user in interacting with the website. Even if the website owner only provides the user with website details when the user is at a specific location, the user may be able to use a bookmark to access the website later. This may allow the user to re-visit the website when they potentially cannot properly make use of the services, such as after leaving a location associated with the service.
  • As an example, some websites have intake forms that collect user information to provide a service, such as determining whether a user qualifies for a car loan at a car dealership. Because specific details of the sale are needed to finalize the loan and calculate, for example, a monthly payment or eligible APR, the dealership and/or the bank servicing the loan may want to restrict access to the website to only when the user is at the car dealership. This allows the user to receive help from salespeople and actually evaluate and process the loan, if the user desires. It can also help avoid problems where users fill out the forms on their own and show up at the car dealership expecting a loan, only to find out that there is some issue with how they filled out the forms, or some difference in how they calculated the value or price of a car to be purchased.
  • One way to control access is to have the user provide location information from the user's mobile device. This can effectively restrict access based on where the user is located. Even if the user uses a bookmark to access the website later, their location information will prevent them from accessing the website. However, users often decline to or are unable to provide location-based information from their mobile devices due to privacy concerns. This can result in problems accessing the website even when the user is at the proper location, such as at the business.
  • As another approach, and in accordance with embodiments of the present invention, a website owner may use backend network services to restrict access to the website. For example, the website owner may provide a machine-readable link, such as a QR code, to a user. This QR code accesses a redirect page that does not visibly load in the user's web browser. The redirect page, which may be hosted on the backend of the network, may initiate a new session for the user and generate a unique session ID for the session, then redirect the user to the website. The address for the website can be dynamic and include information that links the address to the unique session ID. Backend services can monitor visits to the website based on the unique session ID determined from the dynamic address. The backend services can determine whether the unique session ID is valid based on various parameters, such as how long it has been since the associated session was started. Once the unique session ID has become invalid (e.g., expires), the backend services block the user from accessing the website.
  • From the user side, the user can scan the QR code and navigate directly to the website without even noticing that the redirect is taking place. The user can interact with the website based on parameters controlled by the website owner. However, all of the control is transparent to the user, as it is handled on the backend of the network. The user is not required to disclose any personal data, such as the location information from their mobile device. While the user can bookmark the website address, once the unique session ID associated with the dynamic address is invalidated, the user will have to return to the original QR code to start a new session. A website owner will thus be able to control access to the website based on where the user has access to the QR code and prevent or limit unintended or undesired access to the websites by users.
  • FIG. 1 illustrates a block diagram of an example environment 100 in which systems and methods described herein may be implemented, according to some embodiments. The example environment 100 includes a website 110, a mobile device 120, a machine-readable indicia 130, a backend platform 140, and a network 150. The website 110 may be accessible to the mobile device 120 and the backend platform 140 through the network 150. The website may be connected to the backend platform 140 through a direct connection, as indicated by the dotted line between the two. The website 110 and the backend platform may be hosted together in a server or hosted in different servers that are connected through the network 150 or a cloud. The network 150 may be a single network or several networks connected through the internet.
  • In some embodiments, the website 110 may be deployed to provide a service to users. The website 110 may have an intake page 112 and website pages 114. The intake page 112 may be a home page, main page, or landing page where a user may begin to navigate the website 110. The website pages 114 may be other pages in the website 110 or sub-pages of the intake page 112.
  • The website 110 may use configurable or dynamic addresses for the intake page 112 and the website pages 114. The configurable addresses allow a page 112 to be accessed with different addresses, where each address is associated with a specific user or user session.
  • For example, a car dealership may wish to provide a service for connecting a customer with a bank such that the customer can be pre-approved for an auto loan. This can be accomplished through a website 110 with an intake page 112 for an application where the customer can fill out their information. As the customer proceeds through the application process, the customer accesses each of the website pages 114 to finish providing the necessary information. The configurable address may each be modified to identify the specific customer or instance for which the application is being completed. Once the forms are finished, the customer may submit their application from the website for review.
  • Access to the website 110 may be provided through a link, which the user may access through their mobile device 120. The mobile device 120 may be a smart phone, tablet, or other portable electronic device capable of accessing the internet. In an embodiment, the link may be provided in the form of a machine-readable indicia 130, such as a QR code.
  • Receiving the link may cause the mobile device 120 to access a redirect or proxy page that is managed by the backend redirect page 142 in the backend platform 140. The backend redirect page 142 may be a QR service that does not render a webpage, but instead redirects the user's browser to the intake page 112. Because the redirect page is not rendered or loaded in the browser, the user does not have an opportunity to bookmark the link or address of the redirect page.
  • The link may be associated with a specific location. For example, a business may have different machine-readable indicia 130 for different business locations. This may allow the website owner to track which business location provided the user access to the system. It also may allow the link to access a specific backend redirect page 142 on a backend platform 140 that services the specific business location.
  • The link may be associated with a specific person. For example, an employee in a business may have a machine-readable indicia 130 which accesses the backend redirect page 142, but which is unique or includes an identifier of the individual employee. This may allow the website owner to track which employee provided the user access to the system.
  • The backend redirect page 142 may generate a unique session identifier (ID) for the user. In some embodiments, the configurable addresses for the website 110 are configured based on the unique session ID, such as including the unique session ID in the web address for the intake page 112 and the website pages 114. The unique session ID may be added to a session list of sessions. This session list may contain unique session IDs of sessions that have been activated.
  • The backend platform 140 may have a session monitor 146 that keeps track of a time since the unique session ID was generated. The predetermined session length may be, for example, thirty minutes, one hour, or an estimated length of time for a user to complete the forms of the website 110. When the time exceeds the predetermined session length, the session monitor 146 may remove the unique session ID from the session list. In some embodiments, the session monitor 146 is part of the backend redirect page 142.
  • The session list may be stored in the backend redirect page 142 or the session monitor 146. The backend redirect page 142 and the session monitor 146 may be in communication with each other to modify and maintain the session list.
  • The backend platform 140 may have an intake backend for frontend (referred to herein as IBFF or intake BFF) 144 for controlling access to the website 110. The intake BFF 144 may receive requests for access to the intake page 112 or the website pages 114, such as from a mobile device 120, and extract the unique session ID from the web address that is used to request access. The intake BFF 144 may contact the backend redirect page 142 or the session monitor 146 to verify whether the unique session ID is valid. The backend redirect page 142 or the session monitor 146 may check whether the unique session ID is valid and then report that information back to the intake BFF 144. If the unique session ID is valid, the intake BFF 144 grants the mobile device 120 access to the intake page 112 or one of the website pages 114, depending on which page the mobile device 120 requested access to. If the unique session ID is not valid, the intake BFF 144 denies the mobile device 120 access.
  • Typically, a QR code or similar readable link takes a user directly to the webpage of interest, or requires location data from a user for any kind of location restrictions to be operable. Embodiments described herein allow the website owner to limit access to the website based on a user's location without actually requiring any location data to be sent to the website from the user or user's device.
  • In embodiments of the present invention, in order to access the website 110, the user must have a valid unique session ID, which can only be obtained by scanning the machine-readable indicia 130 and accessing the backend redirect page 142. This unique session ID may only be valid for a limited time. For example, a timer may be started or a first timestamp may be generated when the user first accesses backend redirect page 142. The unique session ID may be invalidated when the timer is active longer than a predetermined amount of time or after a predetermined amount of time has passed since the first timestamp. In some embodiments, after a user accesses a page in website 110, such as intake page 112 or website page 114, the timer is reset or a second timestamp is generated and replaces the first timestamp. This may prevent the user's session from ending prematurely while still using the website 110.
  • The user may not be able to bookmark the backend redirect page 142 because it is not loaded in the browser. The user may only bookmark pages in the website 110, such as intake page 112 or website page 114. No new unique session ID will be generated by accessing such pages, even if the user intends to start a new session, as new unique session IDs are only generated by accessing the backend redirect page 142.
  • If the user tries to access the website 110 directly using one of the dynamic addresses that was generated for their last session (e.g., through the bookmark of intake page 112), they will be using the unique session ID of that specific dynamic address. They will only be able to access the website 110 if the previous unique session ID is still valid. By setting the predetermined time limit, the website owner can limit to specific locations access to the machine-readable indicia 130. Essentially, the user will be limited based on when and where the machine-readable indicia 130 is available to start a new session.
  • For example, employees at a business location may be the only ones who can provide the machine-readable indicia 130. As a result, customers would only be able to access the website 110 at the business location and for a short time thereafter. The business can thus restrict access to the website without having to violate the privacy of the customer or request the customer to disclose the location information of their mobile device.
  • FIG. 2 is a flowchart illustrating a method 200 for performing access restriction to a website, according to some embodiments. Method 200 can be performed by processing logic that can comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions executing on a processing device), or a combination thereof. It is to be appreciated that not all steps may be needed to perform the disclosure provided herein. Further, some of the steps can be performed simultaneously or in a different order than shown in FIG. 2, as will be understood by a person of ordinary skill in the art.
  • Method 200 shall be described with reference to FIG. 1. However, method 200 is not limited to that example embodiment.
  • In 210, the backend redirect page 142 receives a request from the mobile device 120 to access the backend redirect page 142 through a link. The link may be the machine-readable indicia 130 or may be encoded into the machine-readable indicia 130, and the link may be activated using an electronic reader on the mobile device 120. For example, if the link is a QR code, the electronic reader may be a QR code reader. Activating the link may access the backend redirect page 142 using an address encoded into the machine-readable indicia 130.
  • In 220, the backend redirect page 142 generates a unique session ID and the session monitor 146 starts a session timer. The backend redirect page 142 may store the unique session ID in a list of active sessions. The list of active sessions may be specific to the intake page 112 associated with the link.
  • The list of active sessions may include an activity identifier for which the unique session ID has been assigned, the session timer for the unique session identifier, and a personnel or employee identifier. These may each be associated with the unique session ID to which they correspond. The activity identifier may identify the specific website 110 or the type of activity that a user is performing on website 110. The personnel identifier may be based on or encoded into the machine-readable indicia 130 activated by the mobile device 120.
  • For example, a user initiating a session may be assigned a unique session ID for that session with a corresponding session timer indicating when the session started, an activity identifier indicating that the user is filling out a form to be pre-approved for an auto loan, and an employee identifier indicating a salesman who is helping the user. This information may be stored in the list of active sessions as an entry for the session.
  • The backend redirect page 142 may configure configurable or dynamic addresses for pages in the website 110, such as intake page 112 and website pages 114, using the unique session ID. The dynamic addresses may be based on or include the unique session ID in the address. For example, the unique session ID may be appended to the end of part of a website address, or embedded within part of the website address.
  • In 230, the backend redirect page 142 redirects the mobile device 120 to the website 110 using the dynamic address based on unique session ID. The backend redirect page 142 may redirect the mobile device 120 from the backend redirect page 142 to a page in the website 110, such as intake page 112 or one of the website pages 114 using the dynamic address for the intake page 112 that was configured in step 220. It is to be understood that the first time a user accesses the website 110 in a given session, the user is directed to the intake page 112, but that future access to the website 110 will navigate to pages based on the links selected, such as links on the intake page 112 or website pages 114 that connect to other pages in the website pages 114.
  • The mobile device 120 may attempt to load the page of the website 110 in a browser on the mobile device 120 using the dynamic address. The website 110 may generate a request to verify the unique session ID associated with the dynamic address for the page.
  • In 240, the backend redirect page 142 and the intake BFF 144 verify the unique session ID. The intake BFF 144 may receive a request to access the website 110 from the mobile device 120's attempt to access the website 110 in step 230. This request may come, for example, from the website 110. The intake BFF 144 may determine the unique session ID from the dynamic address used in the access request. For example, if the dynamic address includes the unique session ID as part of the dynamic address, the intake BFF will extract the unique session ID from that portion of the dynamic address.
  • The intake BFF 144 may send the determined unique session ID to the backend redirect page 142 for verification. The backend redirect page 142 may compare the unique session ID to a list of the active sessions that are valid.
  • In 245, the backend redirect page 142 determines whether the unique session ID is valid. If the unique session ID is present in the list of active sessions, then the unique session ID is considered to be valid. If the unique session ID is not present in the list of active sessions, then the unique session ID is considered to be invalid. The backend redirect page 142 then provides the validation result to the intake BFF 144, which then takes the appropriate action.
  • In some embodiments, the functions of the backend redirect page 142 in steps 240 and 245 may be performed by both the backend redirect page 142 and the session monitor 146 or by the session monitor 146 alone.
  • For valid unique session IDs, the method 200 proceeds to step 250. In 250, the intake BFF 144 grants the mobile device 120 access to the website 110. The method 200 may then return to step 230.
  • For invalid unique session IDs, the method 200 proceeds to step 255. In 255, the intake BFF 144 denies the mobile device 120 access to the website 110. The method 200 may then terminate for the given access attempt.
  • As a related but separate function in the method 200, step 230 also proceeds to step 260. In 260, the backend platform 140 determines whether the session timer is greater than a predetermined session length. This may be performed by the session monitor 146, the backend redirect page 142, or both. In some embodiments, the session timer is maintained within the list of active sessions.
  • If the session timer is greater than the predetermined session length, then method 200 proceeds to step 265. In 265, the session monitor 146 or the backend redirect page 142 invalidate the unique session ID. This may be accomplished by removing the unique session ID from the list of active sessions.
  • If the session timer is less than the predetermined session length, then method 200 proceeds to step 270. In 270, the session monitor 146 or the backend redirect page 142 maintains the unique session ID in the list of active sessions. Maintaining the list of active sessions may not require a specific action to be taken, as the list of active sessions may be stored or maintained in memory that is part of or allocated to the backend redirect page 142 or the session monitor 146.
  • Step 270 may return to step 260 to further monitor the session timer. It should be understood that steps 260, 265, and 270 may be performed continually or periodically as time passes to ensure that unique session IDs are maintained or invalidated. Thus, these steps may be performed for any unique session ID generated by step 220 during and between other steps of method 200.
  • In some embodiments, when a unique session ID becomes invalid while the user is using the website 110 but before completion, the user is denied access to the website page 114 when the user attempts to access the next website page 114. In order to access the website 110 again, the user must rescan the machine readable indicia 130 to generate a new unique session ID.
  • FIG. 3 depicts an example computer system useful for implementing various embodiments.
  • Various embodiments may be implemented, for example, using one or more well-known computer systems, such as computer system 300 shown in FIG. 3. One or more computer systems 300 may be used, for example, to implement any of the embodiments discussed herein, as well as combinations and sub-combinations thereof.
  • Computer system 300 may include one or more processors (also called central processing units, or CPUs), such as a processor 304. Processor 304 may be connected to a communication infrastructure or bus 306.
  • Computer system 300 may also include user input/output device(s) 303, such as monitors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 306 through user input/output interface(s) 302.
  • One or more of processors 304 may be a graphics processing unit (GPU). In an embodiment, a GPU may be a processor that is a specialized electronic circuit designed to process mathematically intensive applications. The GPU may have a parallel structure that is efficient for parallel processing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc.
  • Computer system 300 may also include a main or primary memory 308, such as random access memory (RAM). Main memory 308 may include one or more levels of cache. Main memory 308 may have stored therein control logic (i.e., computer software) and/or data.
  • Computer system 300 may also include one or more secondary storage devices or memory 310. Secondary memory 310 may include, for example, a hard disk drive 312 and/or a removable storage device or drive 314. Removable storage drive 314 may be a floppy disk drive, a magnetic tape drive, a compact disk drive, an optical storage device, tape backup device, and/or any other storage device/drive.
  • Removable storage drive 314 may interact with a removable storage unit 318. Removable storage unit 318 may include a computer usable or readable storage device having stored thereon computer software (control logic) and/or data. Removable storage unit 318 may be a floppy disk, magnetic tape, compact disk, DVD, optical storage disk, and/any other computer data storage device. Removable storage drive 314 may read from and/or write to removable storage unit 318.
  • Secondary memory 310 may include other means, devices, components, instrumentalities or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 300. Such means, devices, components, instrumentalities or other approaches may include, for example, a removable storage unit 322 and an interface 320. Examples of the removable storage unit 322 and the interface 320 may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface.
  • Computer system 300 may further include a communication or network interface 324. Communication interface 324 may enable computer system 300 to communicate and interact with any combination of external devices, external networks, external entities, etc. (individually and collectively referenced by reference number 328). For example, communication interface 324 may allow computer system 300 to communicate with external or remote devices 328 over communications path 326, which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc. Control logic and/or data may be transmitted to and from computer system 300 via communication path 326.
  • Computer system 300 may also be any of a personal digital assistant (PDA), desktop workstation, laptop or notebook computer, netbook, tablet, smart phone, smart watch or other wearable, appliance, part of the Internet-of-Things, and/or embedded system, to name a few non-limiting examples, or any combination thereof.
  • Computer system 300 may be a client or server, accessing or hosting any applications and/or data through any delivery paradigm, including but not limited to remote or distributed cloud computing solutions; local or on-premises software (“on-premise” cloud-based solutions); “as a service” models (e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a service (SaaS), managed software as a service (MSaaS), platform as a service (PaaS), desktop as a service (DaaS), framework as a service (FaaS), backend as a service (BaaS), mobile backend as a service (MBaaS), infrastructure as a service (IaaS), etc.); and/or a hybrid model including any combination of the foregoing examples or other services or delivery paradigms.
  • Any applicable data structures, file formats, and schemas in computer system 300 may be derived from standards including but not limited to JavaScript Object Notation (JSON), Extensible Markup Language (XML), Yet Another Markup Language (YAML), Extensible Hypertext Markup Language (XHTML), Wireless Markup Language (WML), MessagePack, XML User Interface Language (XUL), or any other functionally similar representations alone or in combination. Alternatively, proprietary data structures, formats or schemas may be used, either exclusively or in combination with known or open standards.
  • In some embodiments, a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having control logic (software) stored thereon may also be referred to herein as a computer program product or program storage device. This includes, but is not limited to, computer system 300, main memory 308, secondary memory 310, and removable storage units 318 and 322, as well as tangible articles of manufacture embodying any combination of the foregoing. Such control logic, when executed by one or more data processing devices (such as computer system 300), may cause such data processing devices to operate as described herein.
  • Based on the teachings contained in this disclosure, it will be apparent to persons skilled in the relevant art(s) how to make and use embodiments of this disclosure using data processing devices, computer systems and/or computer architectures other than that shown in FIG. 3. In particular, embodiments can operate with software, hardware, and/or operating system implementations other than those described herein.
  • It is to be appreciated that the Detailed Description section, and not the Summary and Abstract sections, is intended to be used to interpret the claims. The Summary and Abstract sections may set forth one or more but not all exemplary embodiments of the present invention as contemplated by the inventor(s), and thus, are not intended to limit the present invention and the appended claims in any way.
  • Embodiments of the present invention have been described above with the aid of functional building blocks illustrating the implementation of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed.
  • The foregoing description of the specific embodiments will so fully reveal the general nature of the invention that others can, by applying knowledge within the skill of the art, readily modify and/or adapt for various applications such specific embodiments, without undue experimentation, without departing from the general concept of the present invention. Therefore, such adaptations and modifications are intended to be within the meaning and range of equivalents of the disclosed embodiments, based on the teaching and guidance presented herein. It is to be understood that the phraseology or terminology herein is for the purpose of description and not of limitation, such that the terminology or phraseology of the present specification is to be interpreted by the skilled artisan in light of the teachings and guidance.
  • It is to be appreciated that the Detailed Description section, and not the Summary and Abstract sections, is intended to be used to interpret the claims. The Summary and Abstract sections may set forth one or more but not all exemplary embodiments of the present invention as contemplated by the inventor(s), and thus, are not intended to limit the present invention and the appended claims in any way.
  • The breadth and scope of the present invention should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims (20)

1. A method for controlling access to a website, comprising:
receiving a request from a mobile device to access a backend redirect page using a first address from a plurality of addresses;
generating, by the backend redirect page, a unique session identifier and an address to the website based on the unique session identifier, wherein a portion of the address to the website includes the unique session identifier;
redirecting, by the backend redirect page, a browser on the mobile device to the website using the address, wherein the website has one or more pages;
verifying, by an intake backend for frontend (IBFF), whether the unique session identifier for the address is valid by extracting the unique session identifier from the address;
based on the verifying, either granting or denying, by the IBFF, the mobile device access to the website, wherein granting access occurs when the unique session identifier is valid, and denying access occurs when the unique session identifier is invalid.
2. The method of claim 1, wherein the website has a first page from the one or more pages with a link to a second page of the one or more pages, the second page having a second address based on the unique session identifier, and
the method further comprising:
in response to receiving a request from the mobile device to access the second page using the second address, verifying, by the IBFF, whether the unique session identifier for the second address is valid;
based on the verifying, either granting or denying, by the IBFF, the mobile device access to the second page, wherein granting access to the second page occurs when the unique session identifier is valid, and denying access to the second page occurs when the unique session identifier is invalid.
3. The method of claim 1, further comprising:
monitoring, by a session monitor, a time since the backend redirect page generated the unique session identifier; and
based on the monitoring, either maintaining, by the backend redirect page, the unique session identifier in a list of active sessions or removing, by the backend redirect page, the unique session identifier from the list of active sessions, wherein the maintaining occurs when the time is less than the predefined session length and the removing occurs when the time is greater than the predefined session length,
wherein the unique session identifier is valid when it is contained in the list of active sessions and the unique session identifier is invalid when it is not contained in the list of active sessions.
4. The method of claim 1, further comprising providing a Quick Response (QR) code to a user of the mobile device which, when scanned, generates the request to access the backend redirect page on the mobile device using the first address.
5. The method of claim 1, wherein the first address is associated with an identifier of a first employee.
6. The method of claim 5, wherein a second address from the plurality of addresses is associated with an identifier of a second employee, wherein the second address also provides access to the backend redirect page.
7. The method of claim 6, wherein:
in response to the first address being accessed, generating the unique session identifier further comprises associating the unique session identifier with the identifier of the first employee; and
in response to the second address being accessed, generating the unique session identifier further comprises associating the unique session identifier with the identifier of the second employee.
8. The method of claim 1, wherein the address is a combination of a first part of a website address and the unique session identifier.
9. A system for controlling access to a website, the system comprising:
one or more processors;
memory communicatively coupled to the one or more processors, the memory storing instructions which, when executed by the one or more processors, cause the one or more processors to:
provide the website, the website comprising one or more pages with configurable addresses, wherein each page of the one or more pages may be accessed by a respective configurable address from the configurable addresses;
provide a backend redirect page configured to, in response to receiving a request to access the backend redirect page from a mobile device using a first address from a plurality of addresses:
generate a unique session identifier;
configure the configurable addresses into first configured addresses based on the unique session identifier, wherein a portion of the configurable address includes the unique session identifier;
redirect a browser on the mobile device to a first page from the one or more pages using a corresponding configured address from the first configured addresses;
determine whether unique session identifiers corresponding to the configured addresses are valid; and
provide an intake backend for frontend (IBFF) configured to:
in response to receiving a request from the mobile device to access a respective page from the one or more pages of the website, query the backend redirect page to determine whether a respective unique session identifier corresponding to the respective configured address from the respective page is valid by extracting the unique session identifier from the configurable address; and
based on the query, either grant or deny the mobile device access to the website, wherein the IBFF grants access when the unique session identifier is valid, and denies access when the unique session identifier is invalid.
10. The system of claim 9, further comprising a session timer configured to:
monitor a time since the backend redirect page generated the unique session identifier; and
based on the time monitored, either maintain the unique session identifier in a list of active sessions or remove the unique session identifier from the list of active sessions, wherein the session timer maintains the unique session identifier in the list of active sessions when the time is less than the predefined session length and the session timer removes the unique session identifier from the list of active sessions when the time is greater than the predefined session length,
wherein the unique session identifier is valid when it is contained in the list of active sessions and the unique session identifier is invalid when it is not contained in the list of active sessions.
11. The system of claim 9, wherein the first address is associated with an identifier of a first employee.
12. The system of claim 11, wherein a second address from the plurality of addresses is associated with an identifier of a second employee.
13. The system of claim 12, wherein the backend redirect page is further configured to:
in response to the first address being accessed, generate the unique session identifier and associate the unique session identifier with the identifier of the first employee; and
in response to the second address being accessed, generate the unique session identifier and associate the unique session identifier with the identifier of the second employee.
14. The system of claim 9, wherein the backend redirect page is configured to configure the configurable addresses based on the unique session identifier by inserting the unique session identifier into each of the respective configurable addresses.
15. A non-transitory computer readable storage medium having computer readable instructions stored therein that, when executed by a computer, cause the computer to perform operations comprising:
receiving a request from a mobile device to access a backend redirect page accessible at a first address of a plurality of addresses;
in response to the mobile device accessing the first address, generating a unique session identifier and an address to a website based on the unique session identifier, wherein a portion of the address to the website includes the unique session identifier;
redirecting a browser on the mobile device from the backend redirect page to the website using the address, wherein the website has one or more pages;
verifying whether the unique session identifier for the address is valid by extracting the unique session identifier from the address;
based on the verifying, either granting or denying the mobile device access to the website, wherein granting access occurs when the unique session identifier is valid, and denying access occurs when the unique session identifier is invalid.
16. The non-transitory computer readable storage medium of claim 15, wherein:
the website has a first page from the one or more pages with a link to a second page of the one or more pages, the second page having a second address based on the unique session identifier, and
the instructions are further configured to cause the computer to perform operations comprising:
in response to the second page being accessed by the mobile device, verifying whether the unique session identifier for the second address is valid; and
based on the verifying, either granting or denying the mobile device access to the second page, wherein granting access occurs when the unique session identifier is valid, and denying access occurs when the unique session identifier is invalid.
17. The non-transitory computer readable storage medium of claim 15, wherein the instructions are further configured to cause the computer to perform operations comprising:
monitoring a time since the backend redirect page generated the unique session identifier; and
based on the monitoring, either maintaining the unique session identifier in a list of active sessions or removing the unique session identifier from the list of active sessions, wherein the maintaining occurs when the time is less than the predefined session length and the removing occurs when the time is greater than the predefined session length,
wherein the unique session identifier is valid when it is contained in the list of active sessions and the unique session identifier is invalid when it is not contained in the list of active sessions.
18. The non-transitory computer readable storage medium of claim 15, wherein the first address is associated with an identifier of a first employee.
19. The non-transitory computer readable storage medium of claim 18, wherein:
a second address from the plurality of addresses is associated with an identifier of a second employee, wherein the backend redirect page is accessible at the second address; and
the instructions are further configured to cause the computer to perform operations comprising:
in response to the first address being accessed, generating the unique session identifier further comprises associating the unique session identifier with the identifier of the first employee; and
in response to the second address being accessed, generating the unique session identifier further comprises associating the unique session identifier with the identifier of the second employee.
20. The non-transitory computer readable storage medium of claim 15, wherein the address is a combination of a first part of a website address and the unique session identifier.
US17/179,728 2021-02-19 2021-02-19 Qr code access restriction without geolocation knowledge Pending US20220269747A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/179,728 US20220269747A1 (en) 2021-02-19 2021-02-19 Qr code access restriction without geolocation knowledge

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US17/179,728 US20220269747A1 (en) 2021-02-19 2021-02-19 Qr code access restriction without geolocation knowledge

Publications (1)

Publication Number Publication Date
US20220269747A1 true US20220269747A1 (en) 2022-08-25

Family

ID=82899597

Family Applications (1)

Application Number Title Priority Date Filing Date
US17/179,728 Pending US20220269747A1 (en) 2021-02-19 2021-02-19 Qr code access restriction without geolocation knowledge

Country Status (1)

Country Link
US (1) US20220269747A1 (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6766298B1 (en) * 1999-09-03 2004-07-20 Cisco Technology, Inc. Application server configured for dynamically generating web pages for voice enabled web applications
US20070245027A1 (en) * 2006-03-31 2007-10-18 Avaya Technology Llc User session dependent URL masking
US20110078769A1 (en) * 2009-09-29 2011-03-31 Fujifilm Corporation Electronic file browsing system and control method thereof
US20130041734A1 (en) * 2011-04-06 2013-02-14 Gregory S. Dean Method of Passing and Redeeming Coupons Via Webpage Accessed from Mobile Phone
US20130151552A1 (en) * 2011-12-07 2013-06-13 Google Inc. Reducing redirects
US20140359578A1 (en) * 2013-05-28 2014-12-04 Stefan Jesse Generating visually encoded dynamic codes for remote launching of applications
US20170185786A1 (en) * 2014-07-03 2017-06-29 Abb Schweiz Ag An apparatus and a method for processing data
US20200125700A1 (en) * 2018-10-19 2020-04-23 Oracle International Corporation Authorization proxy platform
US20210112072A1 (en) * 2019-10-10 2021-04-15 Versatile Credit, Inc. Methods for switchable matrix barcodes for secure website access

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6766298B1 (en) * 1999-09-03 2004-07-20 Cisco Technology, Inc. Application server configured for dynamically generating web pages for voice enabled web applications
US20070245027A1 (en) * 2006-03-31 2007-10-18 Avaya Technology Llc User session dependent URL masking
US20110078769A1 (en) * 2009-09-29 2011-03-31 Fujifilm Corporation Electronic file browsing system and control method thereof
US20130041734A1 (en) * 2011-04-06 2013-02-14 Gregory S. Dean Method of Passing and Redeeming Coupons Via Webpage Accessed from Mobile Phone
US20130151552A1 (en) * 2011-12-07 2013-06-13 Google Inc. Reducing redirects
US20140359578A1 (en) * 2013-05-28 2014-12-04 Stefan Jesse Generating visually encoded dynamic codes for remote launching of applications
US20170185786A1 (en) * 2014-07-03 2017-06-29 Abb Schweiz Ag An apparatus and a method for processing data
US20200125700A1 (en) * 2018-10-19 2020-04-23 Oracle International Corporation Authorization proxy platform
US20210112072A1 (en) * 2019-10-10 2021-04-15 Versatile Credit, Inc. Methods for switchable matrix barcodes for secure website access

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Stackoverflow, Only allow access to URL in certain locations (qr codes),7/23/2015, https://stackoverflow.com/questions/31586548/only-allow-access-to-url-in-certain-locations-qr-codes" (Year: 2015) *

Similar Documents

Publication Publication Date Title
US10951618B2 (en) Refresh token for credential renewal
CN109617907B (en) Authentication method, electronic device, and computer-readable storage medium
CN110213356B (en) Login processing method based on data processing and related equipment
US11146589B2 (en) Out-of-band challenge in a computer system
CN112597472B (en) Single sign-on method, device and storage medium
US20170171191A1 (en) Certificate renewal and deployment
US20180196875A1 (en) Determining repeat website users via browser uniqueness tracking
US20230222504A1 (en) Authenticating a customer to a risk level using an authorization token
US11606349B2 (en) Authentication token refresh
WO2020140097A1 (en) Token management layer for automating authentication during communication channel interactions
US11893097B2 (en) System to utilize user's activities pattern as additional authentication parameter
JP7262378B2 (en) Authentication authorization system and authentication authorization method
WO2018118029A1 (en) Authenticate a first device based on a push message to a second device
US20240007457A1 (en) Time-based token trust depreciation
CN111753268B (en) Single sign-on method, single sign-on device, storage medium and mobile terminal
US20220269747A1 (en) Qr code access restriction without geolocation knowledge
CN112653673A (en) Multi-factor authentication method and system based on single sign-on
US10609013B2 (en) Twin factor authentication for controller
US11418501B2 (en) Automatic identity management with third party service providers
CN110572417B (en) Method, apparatus, server and storage medium for providing login ticket
CN111901299A (en) Application authentication method and device, electronic equipment and storage medium
CN111460411B (en) Method and system for keeping login state
US20240154952A1 (en) Method for global identity verification
CN116861402A (en) Login certificate management method and device, terminal equipment and storage medium
CN117411725A (en) Portal application authentication method and device and computer equipment

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

ZAAB Notice of allowance mailed

Free format text: ORIGINAL CODE: MN/=.